Mass. Data Security Law Says "Thou Shalt Encrypt"
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes.'"
It's a little irritating to read all the comments about how this is really easy, standard industry practice, etc. Please give me a fucking break.
Suppose you're running a church newsletter. You're not computer-literate. You want to send a newsletter. You write out the names of church members and their mailing addresses on a sheet of paper, and accidentally leave it at the copy shop. This is legal.
Now, you do the same thing on a computer that you keep locked in your church. You use it to print out labels, you put the labels on envelopes, and you put the envelopes in the mail. Is it really reasonable that you've broken the law here? Most of this information is available in public databases anyway. You don't know "encryption" from your asshole. Your computer runs Windows 98, and there's no network.
To my mind, if "creating a list on paper" is legal, "creating a list in a computer" should be too. If you want to hit %%loss or misuse%% of personal information, write a law that does that. Penalize a lack of security, don't legislate what security is, because every situation is not the same.